diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json
index 338bb9c..a4bd9a3 100644
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@@ -24,9 +24,9 @@
 "ipaddress": "46.4.18.160",
 "roles": [
 "base",
- "postgresql_primary",
 "mastodon",
- "ejabberd"
+ "ejabberd",
+ "postgresql_client"
 ],
 "recipes": [
 "kosmos-base",
@@ -130,7 +130,6 @@
 "recipe[kosmos-base::andromeda_firewall]",
 "recipe[kosmos-ipfs]",
 "recipe[kosmos-ipfs::public_gateway]",
- "role[postgresql_primary]",
 "recipe[kosmos-btcpayserver::proxy]",
 "role[mastodon]",
 "role[ejabberd]",
diff --git a/roles/mastodon.rb b/roles/mastodon.rb
index 44bbcdc..5bb39e4 100644
--- a/roles/mastodon.rb
+++ b/roles/mastodon.rb
@@ -3,4 +3,5 @@ name "mastodon"
 run_list %w(
 kosmos-mastodon
 kosmos-mastodon::nginx
+ role[postgresql_client]
 )
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
index b3c9f4f..8055b8b 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@@ -64,6 +64,13 @@ postgresql_clients.each do |client|
 access_method "md5"
 notifies :reload, "service[#{postgresql_service}]", :immediately
 end
+
+ firewall_rule "postgresql #{hostname}" do
+ port 5432
+ protocol :tcp
+ command :allow
+ source ip
+ end
 end
 postgresql_replicas.each do |replica|
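Review bot: The new `firewall_rule` in `site-cookbooks/kosmos-postgresql/recipes/default.rb` passes `source ip` without checking that `ip` is set. `ip` and `hostname` are assigned above the hunk, so if a client node ever comes back without an address, the rule may be created with no source restriction, which would presumably allow port 5432 from any host (confirm against the firewall cookbook's handling of a nil source). A guard at the top of the `postgresql_clients.each` block, e.g. `next if ip.nil? || ip.empty?`, keeps both the access entry and the firewall rule scoped to known addresses. Because this change makes PostgreSQL reachable from other machines, the `access_method "md5"` context line is also worth revisiting: `scram-sha-256` together with a `hostssl` access type would avoid md5 authentication over an unencrypted link, if the access type set above the hunk is plain `host`.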